git.ipfire.org Git - thirdparty/glibc.git/commit

author	Florian Weimer <fweimer@redhat.com>
	Tue, 2 Aug 2016 10:24:50 +0000 (12:24 +0200)
committer	Mike Frysinger <vapier@gentoo.org>
	Sat, 12 Nov 2016 05:44:37 +0000 (00:44 -0500)
commit	82b0c63dad2c34183ad26f35891a05a6a1c09462
tree	e208086c5c7d805836c4aa3ba3d7f8936183b1f5	tree
parent	f6de5fee42f7698eab06e2ffb551680f4fb41258	commit \| diff

malloc: Preserve arena free list/thread count invariant [BZ #20370]

It is necessary to preserve the invariant that if an arena is
on the free list, it has thread attach count zero.  Otherwise,
when arena_thread_freeres sees the zero attach count, it will
add it, and without the invariant, an arena could get pushed
to the list twice, resulting in a cycle.

One possible execution trace looks like this:

Thread 1 examines free list and observes it as empty.
Thread 2 exits and adds its arena to the free list,
  with attached_threads == 0).
Thread 1 selects this arena in reused_arena (not from the free list).
Thread 1 increments attached_threads and attaches itself.
  (The arena remains on the free list.)
Thread 1 exits, decrements attached_threads,
  and adds the arena to the free list.

The final step creates a cycle in the usual way (by overwriting the
next_free member with the former list head, while there is another
list item pointing to the arena structure).

tst-malloc-thread-exit exhibits this issue, but it was only visible
with a debugger because the incorrect fix in bug 19243 removed
the assert from get_free_list.

(cherry picked from commit f88aab5d508c13ae4a88124e65773d7d827cd47b)
(cherry picked from commit 026671037948fd31009243a2173278dfa0ac9b25)